b"                                    Office of the Inspector General\n                    United States Government Accountability Office\n\n\nGAO/OIG\n\nJune 2010\n               SEMIANNUAL\n               REPORT\n\n               October 1, 2009 \xe2\x80\x93\n               March 31, 2010\n\n\n\n\nGAO/OIG-10-5\n\x0c                                                               Office of the Inspector General\n                                               United States Government Accountability Office\n\n\n\n\nMemorandum\nDate:        June 15, 2010\n\nTo:          Acting Comptroller General Gene L. Dodaro\n\nFrom:        Inspector General Frances Garcia\n\nSubject:     Semiannual Report\xe2\x80\x94October 1, 2009, through March 31, 2010\n\nIn accordance with Section 5 of the Government Accountability Office Act of 2008\n(GAO Act), I am submitting my semiannual report for the first half of fiscal year 2010\nfor your comments and its transmission to the Congress.\n\nDuring this period, the Office of the Inspector General (OIG) continued its efforts to\nfinalize a number of actions to implement requirements contained in the GAO Act and\ncertain provisions in the Inspector General Reform Act of 2008. For example, we\nsubstantially revised and strengthened the OIG order to reflect our statutory role and\nresponsibilities and are moving forward to obtain the input and concurrence of other\nstakeholders, which is an important and necessary step in the process of adopting\nand implementing the revised OIG order. We also made changes to the OIG Web site\nand the OIG Hotline in order to improve the visibility of OIG and to enhance GAO\nemployees' understanding of OIG's role, as well as to encourage employees to use the\nHotline to report to OIG any situation involving possible wrongdoing at GAO. In\naddition, we continued to participate in the activities of the broader Inspector\nGeneral community, including the Council of Inspectors General on Integrity and\nEfficiency and the Legislative Branch Inspectors General quarterly meetings.\n\nAudits and Inspections\n\nDuring the reporting period, we issued two audit reports with recommendations and\nconducted an inspection. The audits evaluated GAO\xe2\x80\x99s (1) testimony performance\nmeasure 1 and (2) information security program and practices for fiscal year 2009. 2\n(See the attachment for a summary of these reports and GAO actions to address the\nreports\xe2\x80\x99 recommendations.) Furthermore, we completed the first phase of our audit\nof GAO\xe2\x80\x99s fiscal year 2009 financial benefit claims of $1 billion or more, which focused\n\n1\nGAO, Office of the Inspector General, Testimony Measure: Verification of Performance Data Could\nBe Improved, GAO/OIG-10-1 (Washington, D.C.: Nov. 18, 2009).\n2\nGAO, Office of the Inspector General, Information Security: Evaluation of GAO\xe2\x80\x99s Information\nSecurity Program and Practices for Fiscal Year 2009, GAO/OIG-10-3 (Washington, D.C.: Jan. 4, 2010).\n\n\nPage 1                                                         GAO/OIG-10-5 Semiannual Report\n\x0con the reasonableness of the amounts claimed. As the Acting Comptroller General\nrequested, we advised him of our results, including that we determined GAO had a\nreasonable basis to claim these benefits, before the publication of GAO\xe2\x80\x99s fiscal year\n2009 Performance and Accountability Report 3 \xe2\x80\x94hereafter referred to as the annual\nperformance report. The Inspector General cited this work in her November 5, 2009,\nmemorandum to the Acting Comptroller General, which was published in GAO\xe2\x80\x99s\nannual performance report. Phase two of our financial benefits performance measure\nwork, part of our ongoing work, analyzes the adjustments that GAO made to claimed\nbenefit amounts in response to our audit. Our ongoing work also includes a review\nexamining the effectiveness of agency controls to reduce the risk of employee misuse\nof government travel cards.\n\nWe also conducted an inspection of the policies and procedures for conducting\ninvestigations used by GAO\xe2\x80\x99s Forensic Audits and Special Investigations mission\nteam. We did this inspection to determine whether these policies and procedures are\nconsistent with federal investigation quality standards and were followed for specific\ninvestigative work.\n\nInvestigations and Hotline Activities\n\nRegarding our efforts to identify potential fraud, waste, and abuse within GAO, OIG\nhas a toll-free Hotline number that is staffed by a contractor 24 hours a day, 7 days a\nweek. 4 The Hotline is OIG\xe2\x80\x99s primary source of complaints. OIG staff also receive\ncomplaints via telephone calls, faxes, e-mail messages, and personal visits during\nregular duty hours. During the 6-month reporting period, we addressed 145 inquiries\nand allegations (referred to in the following table and text as complaints).\n\nSummary of OIG Activity October 1, 2009 \xe2\x80\x93 March 31, 2010\n\n                                                  Complaints\n\n                                                          Closed,\n    Open at                         Referred to       insufficient   Referred to               Open at\n    start of                         FraudNet        information/    other GAO                  end of\n    period         Received   (Non-GAO-related)          no basis          units   Completed    period\n    3                  142                 103                 22             5            2       13\nSource: GAO OIG.\n\n\n\nOf the 3 open cases from the prior semiannual report period, we closed 1 after\nconducting some initial investigative work and determining that no additional action\nwas needed. The other 2 cases remained open at the end of this reporting period.\nAlso, in this reporting period, we received 142 complaints through our Hotline and\nother sources. Because 103 of these 142 complaints concerned matters related to\n\n3\nGAO, Performance and Accountability Report\xe2\x80\x94Fiscal Year 2009, GAO-10-234SP (Washington, D.C.:\nNov. 13, 2009).\n4\n The toll-free number is (866) 680-7963.\n\n\nPage 2                                                                 GAO/OIG-10-5 Semiannual Report\n\x0cother federal agencies, we referred them to GAO\xe2\x80\x99s FraudNet\xe2\x80\x94a governmentwide\nHotline that receives complaints of fraud, waste, and abuse of federal funds. We\nassisted the Federal Bureau of Investigation in 1 investigation of a complaint about a\nmultimillion-dollar fabricated check that was purported to have been issued by GAO,\nand we closed another investigation of a complaint submitted by another federal\nagency regarding an employee\xe2\x80\x99s potential misrepresentation of GAO or its officials.\nThis latter investigation, which OIG began then referred to another GAO unit,\ndetermined that the employee did not commit an ethics violation. However, the\ninvestigation did result in the employee undergoing additional training. We closed an\nadditional 21 cases due to insufficient information or after initial evaluation of the\ncomplaints determined that there was no basis for action. We also referred to other\nGAO units another 5 cases that involved e-mail scams, a health-and-safety concern,\nand a concern that the format used by GAO in its report products may result in\nexcessive paper use. At the end of the reporting period, 13 cases remained open,\nwhich included 11 received during this reporting period.\n\nAgency Actions on Recommendations Made in Prior OIG Reports\n\nIn response to recommendations made in prior OIG reports, GAO has taken the\nfollowing actions:\n\n    \xe2\x80\xa2   Based on four recommendations in our report on four GAO performance\n        measures that address employee satisfaction, 5 the agency made the following\n        changes. First, to provide greater clarity that the leadership measure assesses\n        employee satisfaction with immediate supervisors, GAO changed the measure\xe2\x80\x99s\n        name from \xe2\x80\x9cleadership\xe2\x80\x9d to \xe2\x80\x9ceffective leadership by supervisors.\xe2\x80\x9d Second, to give a\n        more complete interpretation of the measures, the agency has provided\n        additional information on how the measures are calculated in its annual\n        performance report. 6 Third, to provide more useful information on the agency\xe2\x80\x99s\n        progress in creating a more diverse work environment, GAO made changes to the\n        questions comprising the leadership measure. Fourth, the agency developed\n        written procedures to ensure that future changes made to performance\n        measures, and any effects from these changes, are promptly reported in its\n        annual performance report.\n\n    \xe2\x80\xa2   Based on work we had initiated on evaluating the performance data for GAO\xe2\x80\x99s\n        timeliness performance measure, GAO completed its analysis of the issues that\n        we raised and took some steps to revise how the agency reported the data in its\n        fiscal year 2009 annual performance report. Our work focused on GAO\xe2\x80\x99s\n        electronic customer feedback form and its question on customer satisfaction\n\n5\nGAO, Office of the Inspector General, Four People Measures: Many Attributes of Successful\nMeasures Met; Opportunities Exist for Further Enhancements, GAO/OIG-09-3 (Washington, D.C.:\nAug. 31, 2009).\n6\n All four measures are derived from staff\xe2\x80\x99s responses to GAO\xe2\x80\x99s Employee Feedback Survey.\n\n\n\n\nPage 3                                                           GAO/OIG-10-5 Semiannual Report\n\x0c     with the timeliness of GAO reports. The answers to this question provide the\n     basis for the performance measure data. Among the actions taken, GAO no\n     longer represents its electronic customer feedback form as a survey to avoid any\n     confusion that this outreach approach meets standards and guidelines for\n     statistical surveys. Also, to assist readers in understanding GAO\xe2\x80\x99s approach, the\n     agency has added an explanation of how it calculated its on-time percentage in\n     its annual performance report.\n\nMoreover, GAO took final action that closed two open recommendations from a\nreport issued prior to this reporting period. Based on our September 2008 report on\ndiversity at GAO, 7 the agency made final its order 8 to establish an annual requirement\nfor a Workforce Diversity Plan and to clarify responsibilities and procedures when a\ncomplaint involves staff within GAO\xe2\x80\x99s Office of Opportunity and Inclusiveness.\n\nFinally, I want to thank GAO\xe2\x80\x99s Executive Committee, managers, and staff for their\ncooperation during our reviews.\n\nAttachment\n\ncc: Chief Administrative Officer, GAO\n    Acting General Counsel, GAO\n    Chair and Members, GAO Audit Advisory Committee\n\n\n\n\n7\nGAO, Office of the Inspector General, Diversity At GAO: Sustained Attention Needed to Build on\nGains in SES and Managers, GAO-08-1098 (Washington, D.C.: Sept. 10, 2008).\n8\n GAO, Order 2713.2, Discrimination Complaint Resolution Process (Washington, D.C.: Dec. 9, 2009).\n\n\nPage 4                                                           GAO/OIG-10-5 Semiannual Report\n\x0cAttachment I\n\n\n                   Summary of GAO Office of the Inspector General\n                             Reports and GAO Actions\n\n\nReports Issued October 1, 2009, through March 31, 2009 9\n\nTestimony Measure: Verification of Performance Data Could Be Improved\n(GAO/OIG-10-1, Nov. 18, 2009)\n\nFindings: The Office of the Inspector General (OIG) found that the number of\nhearings was slightly less than the 304 reported as performance data for fiscal year\n2008. Based on the results of our work, the agency\xe2\x80\x99s Office of Congressional\nRelations reviewed the fiscal year 2008 data and stated that the actual number of\nhearings was 298. The primary reason for the difference was that 5 hearings\xe2\x80\x94at\nwhich two GAO officials provided separate testimonies\xe2\x80\x94were counted twice, for a\ntotal of 10 hearings. We identified several factors that contributed to the difference,\nsuch as the need to update existing procedures to verify the accuracy of testimony\nperformance measure data.\n\nRecommendation and GAO Actions: OIG recommended that GAO management\ninclude in its revised procedures specific steps for addressing the type of issues\nidentified in our review and verifying the accuracy of testimony performance data\nprior to their publication. GAO agreed with our recommendation and has issued\nrevised procedures to address the issues discussed in this report. In addition, the\nagency has revised the number of hearings that it reports for fiscal year 2008 in its\nannual performance reports.\n\n\nInformation Security: Evaluation of GAO\xe2\x80\x99s Information Security Program and\nPractices for Fiscal Year 2009 (GAO/OIG-10-3, Jan. 4, 2010) 10\n\nFindings: Overall, the OIG\xe2\x80\x99s evaluation showed that GAO has established an\ninformation security program consistent with the requirements of the Federal\nInformation Security Management Act of 2002, Office of Management and Budget\n(OMB) implementing guidance, and guidance and standards issued by the National\nInstitute of Standards and Technology (NIST). However, it also found that GAO\xe2\x80\x99s\ninformation security policies and procedures were not always applied, and that some\ncould be improved to help ensure that they are consistent with the OMB and NIST\nguidance. For example, OIG found that during fiscal year 2009, GAO greatly increased\nits systems inventory from 12 to 35 systems but did not complete all of the required\nsecurity processes and procedures (such as preparing system security plans) for\nmany of the newly added systems. In addition, GAO\xe2\x80\x99s incident response and handling\n\n9\nWe also issued our previous semiannual report\xe2\x80\x94GAO, Office of the Inspector General, Semiannual\nReport: April 1, 2009, through September 30, 2009, GAO/OIG-10-2 (Washington, D.C.: Dec. 7, 2009).\n10\n Because the full report contains sensitive information, only our Highlights page is publicly available\non http://www.gao.gov. However, congressional members can request the full report.\n\n\nPage 5                                                             GAO/OIG-10-5 Semiannual Report\n\x0cAttachment I\n\n\nprocedures provide a process for investigating security events, such as a denial-of-\nservice attack; however, the decision of whether to classify such events as an\nincident\xe2\x80\x94and thus, to consider reporting them to other external organizations\xe2\x80\x94\nneeds additional management involvement. Also, GAO has continued to make\nprogress in establishing its privacy program and protecting personally identifiable\ninformation. Implementing additional requirements, such as providing annual privacy\nawareness training, would help to further strengthen this program.\n\nRecommendations and GAO Actions: This report includes recommendations to\nGAO to (1) complete and document required information security processes and\nprocedures for all systems in the systems inventory, (2) modify the agency\xe2\x80\x99s incident\nhandling and response procedures to increase Chief Information Officer involvement\nin the incident classification process to help ensure that security events are\nappropriately classified and reported, and (3) continue efforts to implement\nadditional requirements for the agency\xe2\x80\x99s privacy program. GAO concurred with these\nrecommendations and plans to complete implementation of planned actions by\nSeptember 30, 2010. GAO reported that its planned actions include the following:\n(1) completing system security plans for systems added to GAO\xe2\x80\x99s inventory in fiscal\nyear 2009; (2) establishing a process to provide the Chief Information Officer with a\nmonthly briefing on monitored security events that require further analysis; and\n(3) drafting a privacy incident response guide with breach identification, notification,\nand remediation procedures, proposing revisions to a computer security response\nguide, and drafting a privacy training module for all staff.\n\n\n\n\n(998286)\n\n\nPage 6                                                    GAO/OIG-10-5 Semiannual Report\n\x0c                          To report fraud, waste, and abuse in GAO\xe2\x80\x99s internal operations, do one of\nReporting Fraud,          the following. (You may do so anonymously.)\nWaste, and Abuse in\n                      \xe2\x80\xa2   Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24\nGAO\xe2\x80\x99s Internal            hours a day, 7 days a week.\nOperations\n                      \xe2\x80\xa2   Send an e-mail to OIGHotline@gao.gov.\n\n                      \xe2\x80\xa2   Send a fax to the OIG Fraud, Waste, and Abuse Hotline at (202) 512-8361.\n\n                      \xe2\x80\xa2   Write to:\n                          GAO Office of Inspector General\n                          441 G Street NW, Room 1808\n                          Washington, DC 20548\n\n                          To obtain copies of OIG reports and testimony, go to GAO\xe2\x80\x99s Web site:\nObtaining Copies of       www.gao.gov/about/workforce/ig.html.\nGAO/OIG Reports and\nTestimony\n\n                          Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400\nCongressional             U.S. Government Accountability Office, 441 G Street NW, Room 7125\nRelations                 Washington, DC 20548\n\n                          Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800\nPublic Affairs            U.S. Government Accountability Office, 441 G Street NW, Room 7149\n                          Washington, DC 20548\n\n\n\n\n                          This is a work of the U.S. government and is not subject to copyright protection in the\n                          United States. The published product may be reproduced and distributed in its entirety\n                          without further permission from GAO. However, because this work may contain\n                          copyrighted images or other material, permission from the copyright holder may be\n                          necessary if you wish to reproduce this material separately.\n\n\n\n\n                                 Please Print on Recycled Paper\n\x0c"